Please login to the form below
How will new data protection law affect pharma?
Sarah Eglington, of Wilmington Healthcare, explores how GDPR will change pharma’s relationship with healthcare professionals
Introduction
A new European law, known as the General Data
Protection Regulation (GDPR), will come into effect on May 25, changing the way
that data is held and processed, and threatening heavy fines for
non-compliance.
For pharma companies that are fully compliant
with the robust data protection laws currently in place, the changes they need
to make for GDPR are likely to be minimal. However, significant challenges lie
ahead for those with poor data management practices.
What will
change under GDPR?
Changes
to the law generally result from dissatisfaction, or a plea for change from the
masses. Transparency and the individual’s right to control how and where their
personal data is used are central to GDPR.
The responsibility for data protection
compliance currently lies with the individual company that holds or uses the
data, regardless of whether it purchased that data under licence from a
supplier like Wilmington Healthcare, or generated it from its own list of
contacts.
This will remain the same under GDPR.
However, companies will also have to define the legal basis on which they are
holding or using the data; the relevance of their product or service to an
individual on the database and the purpose of their communications to that
person.
Although companies will not be allowed to hold
data on people unless it is relevant to their business, there is some leeway in
terms of how they can justify an individual’s inclusion on a database under GDPR,
since it allows companies to have multiple legal bases for holding or processing
data for different purposes. These range from consent from the individual where
applicable, to potentially a legal or public interest reason to provide certain
information like regulatory updates based on the healthcare professional’s role
as a prescriber.
A lot of pharma companies and data providers are
processing healthcare professional data on the legal basis known as legitimate
interest. Under GDPR, legitimate interest means an organisation has an unambiguous
reason to hold someone’s information on its database, but it hasn’t necessarily
obtained their consent. In such circumstances, it is good practice to send out
an information notice to the individual, informing them that they are on a
particular database, why and for what purpose, and giving them an opportunity
to opt out if they wish.
How can
companies prepare for GDPR?
We recommend that companies conduct a data
audit and profile their data to define how it is used for sales and marketing
purposes. Companies must be prepared to be ruthless when it comes to deleting information
that is not relevant to their purpose or business. They must also have a single
point of access for their database.
The next step is to define the legal basis
for processing data e.g. consent, legitimate interest, vital interest, legal
obligation or public task. Companies then need to inform data subjects of the
information held, legal basis, purpose and how to opt-out either through an
information notice, a data protection notice on a communication, a notice of
change of terms on a website or other appropriate means.
Other important tasks to
ensure compliance include defining the company’s data protection approach and
its data protection policy. GDPR statements and processes should be documented
and companies must produce a privacy impact assessment. If they are processing
under legitimate interest, they must complete a legitimate assessment too,
which defines their basis for processing under that definition using a
necessity and balancing test.
It is important for companies to ensure they
have a nominated data protection officer – in a smaller company this will be
the CEO or equivalent. They must also brief and train their staff, so they are
aware and aligned. This is absolutely vital to ensure compliance, and we are
currently writing a training course to guide companies through the process.
On the issue of staff, the biggest data protection risk for pharma companies is sales
representatives taking their own lists from databases. Restricting access to the
database is, therefore, key to minimise a breach. To counter this, some
companies are even writing rules on database use into employment contracts.
Companies should keep records of their
approach to GDPR and how they have prepared for it. Pharma must also be
prepared to respond in the event of an access request or complaint from a data
subject, or with regards to a GDPR breach.
On an ongoing basis, good
database management is absolutely essential. So, if, for example, an HCP has
asked to be removed from a database, this must be recorded to ensure that
person is not accidentally contacted again.
Conclusion
While the work required to comply with GDPR may seem
arduous to some, we must not lose sight of the purpose of this new legislation.
Ultimately, HCPs and other individuals want more control over their personal
data. Respecting their rights in this regard is key to building deeper and more
meaningful relationships with them; relationships that put quality, ahead of
quantity, and create genuine value for both parties.
Ends
Sarah
Eglington is Client Services Director at Wilmington Healthcare. For information
on Wilmington Healthcare, log on to www.wilmingtonhealthcare.com
Contact
Website
Address:
Beechwood House
2-3 Commercial Way
Christy Close
Southfields
Basildon
SS15 6EF
United Kingdom
- UNDERSTANDING THE ROLE OF PLACE WITHIN THE NEW NHS: FIVE THINGS INDUSTRY NEEDS TO KNOW
- Operating a level below system, “place” is an increasingly important unit of NHS organisation, yet it remains an evolving concept that is not always well-understood among industry practitioners. In this latest quick-read briefing, Oli Hudson, Content Director at Wilmington Healthcare, lifts the veil on what place is, how it works and why it matters.
Wilmington Healthcare
- MISSION CRITICAL: HOW PHARMA CAN HELP THE NHS IMPROVE CARE FOR OLDER PEOPLE
- With around two-thirds of all hospital beds occupied by over-65s, the care of older patients has long been recognised as key to the sustainability of the NHS. So how is it responding to this challenge, and what can industry do to support it? Oli Hudson, Content Director at Wilmington Healthcare, explains what’s changing and how industry should respond.
Wilmington Healthcare
- ALL CHANGE FOR SPECIALISED COMMISSIONING: FOUR THINGS INDUSTRY NEEDS TO KNOW ABOUT THE LATEST REFORMS
- With a recent NHSEI policy document confirming that a major shake-up of arrangements for Specialised Commissioning is imminent, Oli Hudson, Content Director at Wilmington Healthcare (wilmingtonhealthcare.com), describes the key changes and why they matter for pharma and med-tech companies.
Wilmington Healthcare
- HOW DID COVID-19 AFFECT PRESCRIBING BEHAVIOURS? FIVE KEY FINDINGS FROM A NEW STATE OF THE NATION REVIEW
- Published earlier this month, Wilmington Healthcare’s new State of the Nation report draws on a raft of data from across primary and secondary care to show what actually happened to the NHS and its prescribing behaviours during the peak of the pandemic. Oli Hudson summarises five of the key findings:
Wilmington Healthcare
- ALL SYSTEMS GO: UNDERSTANDING WHO’S WHO IN THE NEW NHS LANDSCAPE
- With the Health and Care Act safely passed, Oli Hudson introduces six key stakeholders that will loom large in the new landscape.
Wilmington Healthcare
- Spending on anti-depressants soars as the pandemic’s effect on NHS prescribing patterns is revealed
Wilmington Healthcare